Office 2008 install issues

A pair of installation-related problems involving the new release of Microsoft’s Office 2008 won’t cause damage to your data or prevent the productivity suite from running. But the issues, discovered by a user, pose potential security and administrative headaches. Microsoft is vowing fixes for both.

Issue No. 1: UID 502. Office 2008’s installation problems first came to light thanks to Mac user Joel Bruner, who noted both issues in posts on his blog earlier this week. The first issue relates to file ownership, and requires some basic understanding of user accounts and installations in Mac OS X.

Every user account on your Mac has an associated user ID number (UID); Mac OS X uses these UIDs, rather than account names, to track which users have what access to various files and actions. When you initially set up your Mac, the first user account created is given UID 501 and has administrative access. The second account created gets UID 502 and whatever account status — admin, standard, or managed — the administrator gives the the account. The third user gets UID 503, and so on.

Normally, when you install software using Apple’s Installer utility, each installed file is owned by either the system, by a specific user account as determined by the developer and laid out in the installation package, or by the user account performing the installation.

However, as Bruner pointed out in one blog entry, the Office 2008 installation doesn’t do any of these things. Instead, the installation package installs almost all of its files — and their enclosing folders — with the owner set to user ID 502. This occurs regardless of which user account runs the installer, and regardless of the administrative status of UID 502.

If UID 502 is an administrative account on your Mac, this may not be an issue, as you’ve presumably given that account admin status for a reason. However, if you set up the second account on your Mac without administrative privileges, that account will still end up with free reign over all of Office’s components, and thus the ability to delete or alter /Library/Fonts/Microsoft, /Library/Application Support/Microsoft, and /Applications/Microsoft Office 2008, as well as the contents of these folders. (The installation for the Special Media Edition of Office 2008 also creates the folder /Library/Automator if it didn’t already exist, and gives UID 502 ownership of that folder, as well.) For instance, the user could replace a legitimate file with something else and even make that file executable (see below).

Similarly, if you’ve set up the second account on your Mac as a non-admin account for your own everyday use — ostensibly to prevent yourself from accidentally screwing things up — this “safety” account will have the power to delete or otherwise alter the Office 2008 installation.

Many users won’t notice this situation, but it potentially poses a security issue, as it could provide a non-admin user the ability to modify files that would normally be accessible only to administrators.

Note that UID 502 will be set as the owner of Office 2008 files even if you’ve never created a second user account on your Mac — meaning your Office files will be owned by a user that doesn’t exist. This is actually a preferable scenario, as a user that doesn’t exist can’t modify files.

Issue No. 2: Execute! Bruner also discovered a second problem: Every file in the Office 2008 installation is executable. This means, speaking generally, that files — even things such as clip art and help files — are seen by OS X as “programs” and, if a particular file has executable code, can be run.

This problem should not affect normal use of Office 2008, but security experts generally frown upon the idea of thousands of unnecessarily-executable support files sitting on a drive. Such a situation isn’t necessarily dangerous, but it opens up avenues for possible security exploits.

For example, if a security vulnerability were to be discovered in one of the more than 42,000 files installed by Office 2008, such a vulnerability could be easier to exploit if the file is executable. The only Office 2008 files that actually need to be executable are the actual programs, as well as folders.

What you can do. Although Office 2008 is the first major Microsoft product to use Apple’s Installer system, security experts were surprised by these mistakes. “It’s not good and a clear violation of Microsoft’s standards,” said analyst Rich Mogull, who writes about security issues for Securosis and TidBITS as well as Macworld. “This should not have occurred considering how rigid [Microsoft’s] Security Development Life Cycle is. By potentially allowing a non-privileged user to change system-wide files, it could allow an attacker to cross trust boundaries and execute code in another user’s context.”

Mogull notes, however, that the security implications are, for now, theoretical rather than immediate: “The combination of the two issues is problematic, but it’s one of those issues we need to bring to light, not panic about quite yet.”

For its part, Microsoft takes the two issues seriously, says Geoff Price, product unit manager for the company’s Macintosh Business Unit.

“The Mac BU team is aware of reports regarding Office 2008 installing to a folder that potentially allows a local non-Admin user access to program files,” Price said. “This issue should only affect machines that have a second local user account enabled; other scenarios should not be affected.”

Microsoft also acknowledged the second issue. The company will be providing a free, downloadable update that fixes both issues; in addition, future pressings of the Office 2008 installation disc will include an updated installation package that installs all files with the proper attributes. (A release date for the update wasn’t available at the time of publication; we’ll update this story once we get that information.)

This procedure properly assigns ownership of all Office 2008 components to the system. Unfortunately, there’s no simple fix for the issue of all Office 2008 files being executable. Because some files do indeed need to be executable, you can’t modify all the files en masse. Users will have to wait for the update from Microsoft to address this issue.

If you’re especially concerned about security and you decide to uninstall Office 2008, note that the included Uninstall utility doesn’t fully remove all components. It apparently moves only the Microsoft Office 2008 folder (in /Applications) to the Trash, leaving /Library/Fonts/Microsoft, /Library/Application Support/Microsoft, and all of Office’s included Automator actions in place.